
Re: Remote Desktop Security - Compliance VS Pen-Test

by Paul Johnston


Hi,

>Compliance is what it says on the tin; it is the process of verifying
>that your organisation is complying with the standards etc that it is
>obliged to, by law, or governing bodies, etc blah blah blah.
>
>Penetration testing (technical assessment) may be one of the ways that
>you establish whether you comply or not.
>  
>
I think of them as two different styles of testing. Say you're looking at
a firewall. In a compliance test you'd review a configuration dump. In a
pen test you'd run port scans against it and try exploits.

In general, compliance testing is easier to do and quicker, but you are
assuming the underlying implementation is secure, that it correctly
follows your configuration. I think they're reasonable assumptions in
practice, particularly for firewalls. Pen testing will also identify
configuration not being followed correctly, and it provides some
assurance of the security of the implementation. But there's a lot pen
testing will miss - back doors being a good example.

If you want the best possible testing, get both done. It'd be
interesting to get different people to do each bit and compare the results.

Paul
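A small illustration of the comparison suggested above, added here as an example and not taken from the thread: it reads a constructed, simplified iptables-style dump (the compliance view), derives the state each port should be in, and checks that against constructed port-scan results (the pen-test view), reporting ports where the two disagree.

```python
import re

# Constructed sample: a simplified iptables-style configuration dump
FIREWALL_DUMP = """\
-P INPUT DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 3389 -j DROP
"""

# Constructed sample: what a port scan of the same host reported
SCAN_RESULTS = {22: "open", 443: "closed", 3389: "open", 8080: "closed"}

RULE_RE = re.compile(r"^-A INPUT .*--dport (\d+) -j (ACCEPT|DROP|REJECT)")
POLICY_RE = re.compile(r"^-P INPUT (ACCEPT|DROP)")


def parse_policy(dump):
    """Return (default_policy, {port: target}) from the dump. The first rule
    for a port wins, mirroring first-match semantics of an iptables chain."""
    default, rules = "ACCEPT", {}
    for line in dump.splitlines():
        if m := POLICY_RE.match(line):
            default = m.group(1)
        elif (m := RULE_RE.match(line)) and int(m.group(1)) not in rules:
            rules[int(m.group(1))] = m.group(2)
    return default, rules


def expected_state(default, rules, port):
    """The state the configuration says a port should be in."""
    return "open" if rules.get(port, default) == "ACCEPT" else "closed"


def compare(dump, scan):
    """List (port, expected, observed) where the scan contradicts the config.
    'open but configured closed' is what a configuration review alone would
    miss; 'closed but configured open' usually just means nothing is
    listening, but is reported so the reviewer can decide."""
    default, rules = parse_policy(dump)
    findings = []
    for port, observed in sorted(scan.items()):
        expected = expected_state(default, rules, port)
        if observed != expected:
            findings.append((port, expected, observed))
    return findings


if __name__ == "__main__":
    for port, expected, observed in compare(FIREWALL_DUMP, SCAN_RESULTS):
        print(f"port {port}: config says {expected}, scan observed {observed}")
```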

